When bit 20 (USB wake-up signaling supported on card insertion and removal), as shown above, is set, bit D5 (Remote Wakeup) in bmAttributes of the Standard Configuration Descriptor must also be set to 1.

dwFeatures     #     %
0x00010230    36   14.17 %
0x000100BA    27   10.63 %
0x00020840    20    7.87 %
0x000207B2    19    7.48 %
0x00010030    18    7.09 %
0x000204BA    11    4.33 %
0x0002047E    10    3.94 %
0x000404B2    10    3.94 %
0x000406BA    10    3.94 %
0x000404BE     9    3.54 %
0x000404BA     8    3.15 %
0x000204BE     6    2.36 %
0x00010330     5    1.97 %
0x00040042     5    1.97 %
0x000101BA     4    1.57 %
0x000102BA     4    1.57 %
0x00000840     3    1.18 %
0x000100B6     3    1.18 %
0x00020472     3    1.18 %
0x000400FE     3    1.18 %
0x00000030     2    0.79 %
0x0001007A     2    0.79 %
0x00010200     2    0.79 %
0x0001023C     2    0.79 %
0x00020040     2    0.79 %
0x00020672     2    0.79 %
0x000206BA     2    0.79 %
0x0004047E     2    0.79 %
0x000404B0     2    0.79 %
0x000004B2     1    0.39 %
0x00010000     1    0.39 %
0x00010002     1    0.39 %
0x00010070     1    0.39 %
0x00010130     1    0.39 %
0x00010138     1    0.39 %
0x00010238     1    0.39 %
0x0001023A     1    0.39 %
0x000102B8     1    0.39 %
0x000103B1     1    0.39 %
0x000104BA     1    0.39 %
0x00020042     1    0.39 %
0x0002004E     1    0.39 %
0x0002005E     1    0.39 %
0x00020430     1    0.39 %
0x000204B2     1    0.39 %
0x000205B2     1    0.39 %
0x000205B8     1    0.39 %
0x00020870     1    0.39 %
0x000405F2     1    0.39 %
0x00040672     1    0.39 %
0x00040840     1    0.39 %

The dwFeatures field is the most complex field in a CCID descriptor. The numerical value alone is not informative: you have to decode it bit by bit to extract every piece of information.

We will now parse dwFeatures bit field by bit field. I will not explain each possible value; have a look at the CCID specification, or at the function IFDHSetProtocolParameters() in the file ifdhandler.c of my CCID driver.

ICCD: 00000800h

level of exchange

Data analysis

It is difficult to say whether a reader should or should not support a particular feature.

One easy case is the level of exchange. As explained in Extended APDU support, not all readers can support extended APDUs. If your application and your card use extended APDUs you need a reader with extended APDU support, that is either a TPDU reader or a short and extended APDU reader. 44.49 % + 20.47 % = 64.96 % of the readers support extended APDUs.
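The decoding described above and the level-of-exchange percentages can be reproduced with a few lines of Python. This is an added example, not code from the original post nor from the CCID driver (the driver does the same thing in C in ccid_usb.c and parse.c). The bit meanings come from the dwFeatures table of the CCID specification; the FEATURES_TABLE list is the table above copied into the script, so no USB access is needed.

```python
# Added example, not code from the original post or from the CCID driver:
# decode a CCID dwFeatures value bit by bit and recompute the level-of-exchange
# statistics over the dwFeatures table of the post (copied into FEATURES_TABLE).

# Bit meanings from the CCID specification (Smart Card Device Class Descriptor,
# dwFeatures). Bits not listed here are reserved.
DW_FEATURES_BITS = {
    0x00000002: "Automatic parameter configuration based on ATR data",
    0x00000004: "Automatic activation of ICC on inserting",
    0x00000008: "Automatic ICC voltage selection",
    0x00000010: "Automatic ICC clock frequency change",
    0x00000020: "Automatic baud rate change",
    0x00000040: "Automatic parameters negotiation made by the CCID",
    0x00000080: "Automatic PPS made by the CCID",
    0x00000100: "CCID can set ICC in clock stop mode",
    0x00000200: "NAD value other than 00 accepted (T=1)",
    0x00000400: "Automatic IFSD exchange as first exchange (T=1)",
    0x00000800: "ICCD token",
    0x00010000: "TPDU level exchange with CCID",
    0x00020000: "Short APDU level exchange with CCID",
    0x00040000: "Short and Extended APDU level exchange with CCID",
    0x00100000: "USB wake up signaling supported on card insertion and removal",
}

EXCHANGE_LEVEL_MASK = 0x00070000
EXCHANGE_LEVELS = {
    0x00000000: "character",
    0x00010000: "TPDU",
    0x00020000: "short APDU",
    0x00040000: "short and extended APDU",
}


def decode_features(dw_features):
    """Human readable meaning of every bit set in dwFeatures, lowest bit first.
    Reserved bits are reported as 'reserved bit N' so a non-conforming
    descriptor is noticed instead of silently ignored."""
    names = []
    for bit in range(32):
        mask = 1 << bit
        if dw_features & mask:
            names.append(DW_FEATURES_BITS.get(mask, "reserved bit %d" % bit))
    return names


def exchange_level(dw_features):
    """Bits 16, 17 and 18 are mutually exclusive: flag a descriptor that sets
    more than one of them instead of picking one."""
    level = dw_features & EXCHANGE_LEVEL_MASK
    return EXCHANGE_LEVELS.get(level, "invalid (several exchange level bits set)")


def supports_extended_apdu(dw_features):
    """Extended APDUs go through a TPDU reader (the driver builds the T=0/T=1
    frames itself) or a short+extended APDU reader; a short-APDU-only or
    character-level reader cannot carry them."""
    return exchange_level(dw_features) in ("TPDU", "short and extended APDU")


# (dwFeatures, number of readers) copied from the table above: 254 readers.
FEATURES_TABLE = [
    (0x00010230, 36), (0x000100BA, 27), (0x00020840, 20), (0x000207B2, 19),
    (0x00010030, 18), (0x000204BA, 11), (0x0002047E, 10), (0x000404B2, 10),
    (0x000406BA, 10), (0x000404BE, 9), (0x000404BA, 8), (0x000204BE, 6),
    (0x00010330, 5), (0x00040042, 5), (0x000101BA, 4), (0x000102BA, 4),
    (0x00000840, 3), (0x000100B6, 3), (0x00020472, 3), (0x000400FE, 3),
    (0x00000030, 2), (0x0001007A, 2), (0x00010200, 2), (0x0001023C, 2),
    (0x00020040, 2), (0x00020672, 2), (0x000206BA, 2), (0x0004047E, 2),
    (0x000404B0, 2), (0x000004B2, 1), (0x00010000, 1), (0x00010002, 1),
    (0x00010070, 1), (0x00010130, 1), (0x00010138, 1), (0x00010238, 1),
    (0x0001023A, 1), (0x000102B8, 1), (0x000103B1, 1), (0x000104BA, 1),
    (0x00020042, 1), (0x0002004E, 1), (0x0002005E, 1), (0x00020430, 1),
    (0x000204B2, 1), (0x000205B2, 1), (0x000205B8, 1), (0x00020870, 1),
    (0x000405F2, 1), (0x00040672, 1), (0x00040840, 1),
]


def exchange_level_stats(table=FEATURES_TABLE):
    """Readers per level of exchange: (total, {level: (count, percent)})."""
    total = sum(n for _, n in table)
    counts = {}
    for dw, n in table:
        level = exchange_level(dw)
        counts[level] = counts.get(level, 0) + n
    return total, {lvl: (n, round(100.0 * n / total, 2)) for lvl, n in counts.items()}


def extended_apdu_share(table=FEATURES_TABLE):
    """Percentage of readers whose dwFeatures allows extended APDUs."""
    total = sum(n for _, n in table)
    ok = sum(n for dw, n in table if supports_extended_apdu(dw))
    return round(100.0 * ok / total, 2)


def count_with_bit(mask, table=FEATURES_TABLE):
    """Readers having a given dwFeatures bit set (0x00000800 = ICCD)."""
    return sum(n for dw, n in table if dw & mask)


if __name__ == "__main__":
    print("0x00010230:", "; ".join(decode_features(0x00010230)))
    total, stats = exchange_level_stats()
    for level, (n, pct) in sorted(stats.items(), key=lambda kv: -kv[1][0]):
        print("%-24s %3d / %d  %5.2f %%" % (level, n, total, pct))
    print("extended APDU capable: %.2f %%" % extended_apdu_share())
    print("ICCD readers:", count_with_bit(0x00000800))
```

Run as a script it prints 44.49 % TPDU, 32.68 % short APDU, 20.47 % short and extended APDU and 2.36 % character level, hence 64.96 % extended APDU capable, and 25 readers with the ICCD bit, which is the same count as in the features table of the next section.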

Regarding the other features the choice is between:

- a feature implemented by the reader: simpler driver, but impossible to patch in the driver if the reader firmware or a smart card is bogus
- a feature implemented by the driver: more complex driver, but possible to modify the driver to adapt the feature to special cases (bogus reader firmware or bogus smart card)

My CCID driver is already "complex" and supports most of the features. Some features are not yet supported, but nobody has asked for them, so I imagine they are not important.

So, except for the extended APDU support, the other features presented here are not so important. It may be more important for you to check if the reader supports the communication speed of your smart card, or the voltage of your card.

Wednesday, November 26, 2014

The features field is NOT a value from the CCID USB descriptor. It is a field I added to indicate special features of some readers.

features                    #     %
PIN Verification           39   15.35 %
PIN Modification           36   14.17 %
contactless                31   12.20 %
ICCD                       25    9.84 %
Multi interface reader     14    5.51 %
2 slots                    11    4.33 %
Second interface            7    2.76 %
biometric                   7    2.76 %
3 slots                     3    1.18 %
5 slots                     3    1.18 %
ExpressCard                 3    1.18 %
firewall                    3    1.18 %
4 slots                     1    0.39 %
serial                      1    0.39 %

Some features can be extracted from the USB descriptor, like PIN Verification, PIN Modification, ICCD and the number of slots. The other features are added manually.
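The descriptor-derived features (PIN verification and modification from bPINSupport, ICCD from dwFeatures, number of slots from bMaxSlotIndex), together with the voltage and data rate checks suggested at the end of the dwFeatures analysis, can all be read out of the 54-byte CCID class descriptor. The following parser is an added example, not code from the original post or from the CCID driver; the field layout is the one of the CCID specification rev 1.1, and SAMPLE_DESCRIPTOR is constructed for the example, not captured from a real reader.

```python
# Added example, not code from the original post or from the CCID driver:
# parse the 54-byte CCID class descriptor and derive the features that can be
# read from the descriptor alone, plus a voltage / protocol / data rate check.
import struct

# CCID class descriptor, CCID spec rev 1.1: 54 bytes, little endian.
CCID_DESCRIPTOR_FORMAT = "<BBHBBIIIBIIBIIIIIBBHBB"
CCID_DESCRIPTOR_FIELDS = (
    "bLength", "bDescriptorType", "bcdCCID", "bMaxSlotIndex", "bVoltageSupport",
    "dwProtocols", "dwDefaultClock", "dwMaximumClock", "bNumClockSupported",
    "dwDataRate", "dwMaxDataRate", "bNumDataRatesSupported", "dwMaxIFSD",
    "dwSynchProtocols", "dwMechanical", "dwFeatures", "dwMaxCCIDMessageLength",
    "bClassGetResponse", "bClassEnvelope", "wLcdLayout", "bPINSupport",
    "bMaxCCIDBusySlots",
)
CCID_DESCRIPTOR_TYPE = 0x21      # smart card device class functional descriptor
CCID_DESCRIPTOR_LENGTH = 54

VOLTAGE_BITS = {0x01: "5.0V", 0x02: "3.0V", 0x04: "1.8V"}   # bVoltageSupport
PROTOCOL_BITS = {0x01: "T=0", 0x02: "T=1"}                  # dwProtocols
FEATURE_ICCD = 0x00000800                                   # dwFeatures
PIN_VERIFICATION = 0x01                                     # bPINSupport
PIN_MODIFICATION = 0x02


def parse_ccid_descriptor(data):
    """Unpack a CCID class descriptor into a dict, refusing anything that is
    not a 54-byte descriptor of type 0x21."""
    if len(data) < CCID_DESCRIPTOR_LENGTH:
        raise ValueError("descriptor too short: %d bytes" % len(data))
    values = struct.unpack_from(CCID_DESCRIPTOR_FORMAT, data)
    desc = dict(zip(CCID_DESCRIPTOR_FIELDS, values))
    if desc["bDescriptorType"] != CCID_DESCRIPTOR_TYPE:
        raise ValueError("not a CCID class descriptor (type 0x%02X)" % desc["bDescriptorType"])
    if desc["bLength"] != CCID_DESCRIPTOR_LENGTH:
        raise ValueError("unexpected bLength %d" % desc["bLength"])
    return desc


def descriptor_features(desc):
    """The 'features' visible in the descriptor. Contactless, biometric,
    ExpressCard and the like cannot be derived here."""
    features = []
    if desc["bPINSupport"] & PIN_VERIFICATION:
        features.append("PIN Verification")
    if desc["bPINSupport"] & PIN_MODIFICATION:
        features.append("PIN Modification")
    if desc["dwFeatures"] & FEATURE_ICCD:
        features.append("ICCD")
    slots = desc["bMaxSlotIndex"] + 1      # bMaxSlotIndex is zero based
    if slots > 1:
        features.append("%d slots" % slots)
    return features


def card_compatibility(desc, card_voltage, card_protocol, card_data_rate):
    """Does the reader drive the card's voltage class, protocol and maximum
    bit rate? Returns the list of unmet requirements (empty = compatible)."""
    problems = []
    voltages = [v for bit, v in VOLTAGE_BITS.items() if desc["bVoltageSupport"] & bit]
    if card_voltage not in voltages:
        problems.append("voltage %s not supported (reader: %s)" % (card_voltage, ", ".join(voltages)))
    protocols = [p for bit, p in PROTOCOL_BITS.items() if desc["dwProtocols"] & bit]
    if card_protocol not in protocols:
        problems.append("protocol %s not supported (reader: %s)" % (card_protocol, ", ".join(protocols)))
    if card_data_rate > desc["dwMaxDataRate"]:
        problems.append("data rate %d bps above dwMaxDataRate %d" % (card_data_rate, desc["dwMaxDataRate"]))
    return problems


# Constructed descriptor (not a real reader): 2 slots, 5V/3V/1.8V, T=0 and T=1,
# dwFeatures 0x000404BE (short and extended APDU, taken from the table above),
# PIN verification and modification.
SAMPLE_DESCRIPTOR = struct.pack(
    CCID_DESCRIPTOR_FORMAT,
    54, 0x21, 0x0110, 1, 0x07,
    0x00000003, 4000, 4000, 0,
    10752, 344086, 0, 254,
    0, 0, 0x000404BE, 65544,
    0, 0, 0x0000, 0x03, 2,
)

if __name__ == "__main__":
    desc = parse_ccid_descriptor(SAMPLE_DESCRIPTOR)
    for name in CCID_DESCRIPTOR_FIELDS:
        print("%-24s 0x%X" % (name, desc[name]))
    print("features:", ", ".join(descriptor_features(desc)))
    print("1.8V T=0 card at 500 kbps:", card_compatibility(desc, "1.8V", "T=0", 500000))
```

With a real reader the same bytes are obtained from the class-specific descriptor of the CCID interface (for example with pyusb, or from the output of lsusb -v); the checks here are the ones to run before trusting a reader with a card that needs a particular voltage class or bit rate.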

A majority of readers have no special feature. It is not directly visible from the table above because some readers have 2 or more features at the same time. For example all readers with PIN modification can also do PIN verification. But the reverse is not true. 3 readers can do PIN verification but not PIN modification.

If you want to find readers with a special feature, like contactless, I recommend to sort the reader matrix by 'features' field. It is then easy to find the readers with the feature you are looking for.

SmartcardCCID

This reflects the change of the CCID driver from version 1.3.11 to version 1.4.14.
Apple also upgraded libusb from version 0.1.13b to version 1.0.9.

The CCID driver is now compiled with the USE_COMPOSITE_AS_MULTISLOT option. That explains why composite devices are now supported.
It would have been better to support composite devices at the pcscd (or equivalent, com.apple.ifdreader.slotd?) level. USE_COMPOSITE_AS_MULTISLOT is a hack that only works for the Gemalto Prox DU and Prox SU readers.

SecurityTokend

The change is really minimal. The mig.mk script changed to use the command xcrun (xcrun - Run or locate development tools and properties) to run the command mig (mig - Mach Interface Generator).

The tokend is deprecated but still maintained (a bit). This project provides the SecurityTokend framework used by the different tokends in the Tokend component. The SecurityTokend framework is still provided by Xcode in /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk/System/Library/PrivateFrameworks/SecurityTokend.framework.

Conclusion

New version of the CCID driver.

New PC/SC layer. The source code of the replacement of pcsc-lite (com.apple.ctkpcscd.xpc and com.apple.ifdreader.slotd) is not (yet) available. Maybe Apple will never release it. So only Apple will be able to fix the numerous bugs present in this new component.

I do not like the evolution of the smart card layer to a closed source software.

ICCD Version B devices are a special version of CCID, and in this case the normal value is 261 bytes since the CCID header is not used: the command is sent using a control request and not a bulk message.

So only the IIT E.Key Almaz-1C reader is bogus and limited to a maximum of 249 bytes of data in an APDU.

See the CCID driver README file for a list of the changes between 1.3.11 and 1.4.14. I will not list 4 years of changes here.

New readers supported

121 readers have been added between 1.3.11 and 1.4.14. They are:

Access IS ePassport Reader

ACS ACR101 ICC Reader

ACS AET65

ACS APG8201 PINhandy 1

ACS APG8201 USB Reader with PID 0x8202

ACS CryptoMate64

Akasa AK-CR-03, BZH uKeyCI800-K18

Aktiv Rutoken lite readers

Aktiv Rutoken PINPad Ex

Aktiv Rutoken PINPad In

Alcor Micro AU9522

Alcor Micro AU9540

Ask CPL108

Atmel AT90SCR050

Atmel AT90SCR100

Atmel VaultIC420

Atmel VaultIC440

Atmel VaultIC460

Avtor SC Reader 371

Avtor SecureToken

BIFIT iBank2Key

BIFIT USB-Token iBank2key

Bit4id CKey4

Bit4id cryptokey

Bit4id iAM

Bit4id miniLector

Bit4id miniLector-s

Broadcom 5880

C3PO LTC36

CCB eSafeLD

Cherry SmartTerminal XX7X

Covadis Auriga

Dectel CI692

DIGIPASS KEY 202

Feitian ePass2003 readers

Feitian SCR310 reader (also known as 301v2)

Free Software Initiative of Japan Gnuk token readers

Fujitsu SmartCase KB SCR eSIG

Gemalto Ezio CB+

Gemalto Ezio Shield

Gemalto Ezio Shield Branch

Gemalto Ezio Shield PinPad

Gemalto Ezio Shield PinPad reader

Gemalto GemCore SIM Pro firmware 2.0 (using USB)

Gemalto Hybrid Smartcard Reader

Gemalto IDBridge CT30

Gemalto IDBridge K30

Gemalto IDBridge K3000

Gemalto SA .NET Dual

Gemalto Smart Guardian (SG CCID)

German Privacy Foundation Crypto Stick v1.2

Giesecke & Devrient StarSign CUT

GIS Ltd SmartMouse USB

GoldKey PIV Token

HID OMNIKEY 5127 CK

HID OMNIKEY 5326 DFR

HID OMNIKEY 5427 CK

id3 CL1356T5

Identive CLOUD 2700 F Smart Card Reader

Identive CLOUD 2700 R Smart Card Reader

Identive CLOUD 4500 F Dual Interface Reader

Identive CLOUD 4510 F Contactless + SAM Reader

Identive CLOUD 4700 F Dual Interface Reader

Identive CLOUD 4710 F Contactless + SAM Reader

Ingenico WITEO USB Smart Card Reader (Base and Badge)

Inside Secure AT90SCR050

Inside Secure AT90SCR100

Inside Secure AT90SCR200

Inside Secure VaultIC 420 Smart Object

Inside Secure VaultIC 440 Smart Object

Inside Secure VaultIC 460 Smart Object

Kingtrust Multi-Reader

KOBIL mIDentity 4smart

KOBIL mIDentity 4smart AES

KOBIL mIDentity 4smart fullsize AES

KOBIL mIDentity fullsize

KOBIL mIDentity visual

KOBIL Smart Token

KOBIL Systems IDToken

Macally NFC CCID eNetPad reader

Neowave Weneo

new Neowave Weneo token

NXP PR533

Oberthur ID-ONE TOKEN SLIM v2

OmniKey 6321 USB

Planeta RC700-NFC CCID

Precise Sense MC reader (with fingerprint)

REINER SCT cyberJack go

ReinerSCT cyberJack RFID basis

SafeTech SafeTouch

SCM Microsystems Inc. SCL010 Contactless Reader

SCM Microsystems Inc. SDI011 Contactless Reader

SCM SCL011

SCM SCR3500

SCM SDI 011

SCR3310-NTTCom USB SmartCard Reader

SCR3310-NTTCom USB (was removed in version 1.4.6)

SDS DOMINO-Key TWIN Pro

SecuTech SecuTech Token

Smart SBV280

SpringCard H512 Series

SpringCard H663 Series

SpringCard NFC'Roll

Teridian TSC12xxF

THRC reader

Tianyu Smart Card Reader

Todos AGM2 CCID

Todos CX00

Ubisys 13.56MHz RFID (CCID)

Vasco DIGIPASS 920

Vasco DIGIPASS KEY 101

Vasco DIGIPASS KEY 200

Vasco DIGIPASS KEY 200

Vasco DIGIPASS KEY 860

Vasco DIGIPASS KEY 860

Vasco DP855

Vasco DP865

Xiring Leo v2

Xiring MyLeo

Yubico Yubikey NEO CCID

Yubico Yubikey NEO OTP+CCID

PC/SC known bugs fixed in Yosemite

This new version of PC/SC fixes some bugs present in the previous version of OS X (Mavericks and before).

This list is not exhaustive. I had a look at the bugs I reported at https://bugreport.apple.com/ (also known as radar) and that were closed by Apple.
Maybe you reported to Apple some PC/SC problems I do not know and these problems are now fixed in Yosemite. Feel free to tell me about it.

Extended APDU case 2 no more limited to 1958 bytes

It is now possible to get up to 64k bytes from a card using an extended APDU.
(radar bug #9983001)

Possibility to use composite CCID devices

It is now possible to use a USB device with more than 1 CCID interface.

com.apple.ifdreader.slotd

Binary is /System/Library/CryptoTokenKit/com.apple.ifdreader.slotd/Contents/MacOS/com.apple.ifdreader.

This process loads the smart card reader driver (for example ifd-ccid.bundle in /usr/libexec/SmartCardServices/drivers/) and works together with com.apple.ctkpcscd.xpc.

This process also uses the library com.apple.CryptoTokenKit (binary /System/Library/Frameworks/CryptoTokenKit.framework/Versions/A/CryptoTokenKit).

problems

How to get logs from a reader driver? It was easy to use /usr/sbin/pcscd --debug --foreground to get the driver debug messages in the terminal. It is no longer available :-(

PC/SC in JavaScriptAppleEvents?

I found the file /System/Library/PrivateFrameworks/JavaScriptAppleEvents.framework/Versions/A/Resources/BridgeSupportCache/PCSC.plist. This file contains a description of the PC/SC functions (like SCardTransmit) and also old libMuscleCard functions (like MSCWriteObject).

I don't know yet what can be done with this file. But since it is in PrivateFrameworks I do not expect to find much documentation.

CryptoTokenKit

API

The headers files are in /System/Library/Frameworks/CryptoTokenKit.framework/Headers. The API is in Objective C language. I would have preferred the new Apple programming language Swift (or just plain C).

Relation with PC/SC

When running the sample application mentioned above I note that no com.apple.ctkpcscd.xpc is started. So the CryptoTokenKit library may talk directly to com.apple.ifdreader.slotd and not use PC/SC at all.
Does Apple want to replace PC/SC with a new API?

The CryptoTokenKit API defines TKSmartCard* functions, but not the TKPcsc* functions found in com.apple.ctkpcscd.xpc. What are these TKPcsc* functions?

It looks like CryptoTokenKit will replace PC/SC on OS X. I was hoping for a replacement of tokend and CDSA, which have been deprecated since Lion (3 OS X versions ago).

CryptoTokenKit is a new API. Maybe it will be available on other systems than OS X (like GNU/Linux). But since the API is in Objective C I don't think many people will be interested in working on such an API.

It will be more difficult to write a project that would build and run on Windows, GNU/Linux and OS X if the smart card API is not the same on the 3 systems. The PC/SC API has not yet been deprecated. So it is still possible to use this API for now.

PC/SC new bugs

Apple made big changes in the smart card layer. With big changes come bugs and regressions.

I plan to list the known bugs and regressions in another article (this one is already too long). If you know a regression in Yosemite regarding the smart card layer, please tell me so I can add it to the list.

Conclusion

Still a lot of unanswered questions. Some new bugs in the new PC/SC layer. And no news about the tokend replacement.

The main question is: why has Apple replaced PC/SC by a new API? What is the plan? Will CryptoTokenKit be available also on iOS to talk to a secure element?